Technical Field
This disclosure relates generally to security policy management for information technology (IT) systems.
Background of the Related Art
Information security is the process of providing a set of controls to manage risk with an end goal of demonstrating compliance with a set of regulations. Security policies specify how a set of controls operate and therefore to what extent risk may be capable of being managed. The specific values for attributes in a schema of any security policy can be modified, and such modifications may change the probability of both positive impact (effectiveness at managing risk) and negative impact (unhappy users, loss of productivity) on the environment which the policy is intended to protect.
For example, Data Loss Prevention (DLP) systems are well-known in the prior art and operate generally to identify, monitor use of, and to control user operations on, sensitive information within an enterprise computing environment. Typically, DLP systems provide a policy-based mechanism for managing how data is discovered and classified on a user's workstation or file server, also known as an “endpoint.” Policies must be distributed to, and enforced on, each endpoint. A representative DLP policy may be intended to limit the inappropriate use of sensitive content. Elements of a DLP policy that change its impact on the organization include, for example, the set of endpoints/users to which the policy is applied, the nature of the response when inappropriate use is detected (e.g., audit the event versus preventing the data leak by blocking user activity), and the strictness of the identification of sensitive data (e.g., validation of check sums on numerical data, number of occurrences, size of training sets, etc.).
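The following added example (not part of the disclosure) shows how two of the strictness attributes named above, check sum validation and number of occurrences, change both the positive and the negative impact of a policy. The `DlpPolicy` schema, the version names and the sample content are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class DlpPolicy:               # hypothetical schema, not taken from the disclosure
    version: str
    validate_checksum: bool    # strictness: count only Luhn-valid numbers
    min_occurrences: int       # strictness: matches required before responding
    response: str              # "audit" or "block"

# 16 digits, optionally separated by spaces or hyphens
CANDIDATE = re.compile(r"\b(?:\d[ -]?){15}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check sum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:         # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def evaluate(policy: DlpPolicy, text: str) -> str:
    """Return the policy's response, or "allow" when it does not trigger."""
    hits = [re.sub(r"[ -]", "", m) for m in CANDIDATE.findall(text)]
    if policy.validate_checksum:
        hits = [h for h in hits if luhn_ok(h)]
    return policy.response if len(hits) >= policy.min_occurrences else "allow"

# Constructed sample content (published test card numbers, made-up order refs)
ORDER_REFS = "Order refs 1234567812345678 and 8765432187654321 shipped."
TWO_CARDS = "Cards: 4111 1111 1111 1111 and 5555-5555-5555-4444"
ONE_CARD = "Card on file: 4111 1111 1111 1111"

V1 = DlpPolicy("v1", validate_checksum=False, min_occurrences=1, response="block")
V2 = DlpPolicy("v2", validate_checksum=True, min_occurrences=2, response="block")

if __name__ == "__main__":
    for name, text in [("order refs", ORDER_REFS), ("two cards", TWO_CARDS),
                       ("one card", ONE_CARD)]:
        print(f"{name:10} v1={evaluate(V1, text)} v2={evaluate(V2, text)}")
```

Version v1 blocks the order references (lost productivity from a false positive), while v2 lets them through but also no longer responds to a single genuine card number, which is the trade-off a risk assessment attached to each policy version would need to record.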
Information security professionals also are aware of the concept of risk-based security management. Nevertheless, security policy management as a technology domain typically does not express policy explicitly in a way that recognizes the original purpose of risk management. In this regard, most commercial policy management systems do not provide policy versioning; moreover, in those systems that do, policy versions do not link to risk assessment. This gap is usually caused by the lack of continuity and consistency from the business view of information security through to the implementation in IT systems. With increasing emphasis on IT more directly supporting business objectives, and with IT being applied to new problem domains (such as smart energy), an overt representation of the link between security policy and risk is desired.
Existing security solutions typically use a predefined set of security levels and do not allow user-defined versions of policies to be configured. They also do not provide any mechanism to enable a user to associate (with a security policy) a risk assessment determined by an organization. More significantly, such approaches do not provide any reference to the potential negative impact of changing security levels.
There is a need in the art for techniques that provide those responsible for policy management within an organization with the ability to link in a quantitative description of risk.